For any observer of the online risk environment, the rise of cyber risks will not have gone unnoticed. What started with a small number of “hacktivists” has now become a global problem resulting in billions of dollars and pounds in losses. Mass-market awareness of security risks is gradually percolating beyond the high-risk sectors such as financial institutions and healthcare. The recent data breach suffered by Sony Corp in April 2010 garnered worldwide attention as it was revealed that the account data of some 100 million users of the Sony PlayStation Network had been compromised by hackers. In parallel with the loss environment, governments are increasingly looking at what remedial steps entities dealing with sensitive data are required to take. Whilst the US presently leads the field in terms of the imposition of notification requirements and the remedial steps which need to be taken, it is clear from the proposed revamping of the EU’s data protection legislation that Europe is seeking to evolve its existing legal and regulatory framework.
The text of the EU’s new draft ‘Data Protection Regulation’ is currently in circulation, having been released on 25th January 2012. Under the Regulations, any business entity which receives and processes (or sub-contracts processing to a third party) personal data (information concerning an individual, which also comprises financial data such as credit card details) is required to take remedial steps to protect its customers from the subsequent abuse of that data where hacking has taken place. The Regulations, somewhat onerously when compared to the current regime, direct that an EU Member State’s relevant supervisory authority would need to be notified within 24 hours of the breach occurring, where that is feasible. Currently, in the UK only communication providers are required to report data breaches, and fines are capped at £500,000. Under the proposed Regulations, companies can expect penalties of up to €1 million or 2% of global revenue for the most serious data breaches. The EU’s aim in this respect is to seek greater harmonisation, and to bring its regime for dealing with breaches in line with that utilised for anti-competitive practices. The EU will also hope that the proposed Regulations will set the global standard for other internet superpowers to follow. The US government is currently reviewing its own regime, and it is anticipated that the White House will recommend a revised legal framework for privacy together with a new code of conduct, signalling a shift away from its largely self-regulated system. India and China are also in the process of addressing privacy concerns, although it is expected to be some time before any formal legislation is passed.
The current position
One of the first steps following the occurrence of a data breach should be to consider making a report to the regulatory authority. In respect of UK breaches a report should be directed to the Information Commissioner’s Office (ICO), which has issued guidance on the type of breaches that should be reported. The current position is that the ICO reviews breaches of the Data Protection Act, the Freedom of Information Act and the Privacy and Electronic Communications Regulations. In the US, whilst parties may debate whether data breach notices have to be made to the relevant regulatory authority, failure to do so may result in significant penalties being levied.
Following a breach a party then needs to:
a) understand how the breach occurred;
b) ensure that the breach does not occur again;
c) consider notifying individually all those persons affected by the breach;
d) take steps to compensate parties who have been affected, including (where financial data is stolen) credit monitoring of each affected customer for upwards of a year.
The insurance market has now responded to (a), (c) and (d) by offering crisis management packages. These cover the appointment of experts to establish how the breach occurred (typically referred to as forensic costs), costs relating to notification, and ex-post response costs, which encompass the costs of lawyers, public relations consultants (reputation is quite often the main, if not the only, casualty of such hack attacks), call-centres for the affected individuals and the provision of credit monitoring. Other insurances, such as a Tech PI policy or a Computer Crime policy, may provide cover for loss of the data itself or of the medium containing the data. Certain products also offer coverage for regulatory penalties and the defence costs incurred as part of that process, as well as coverage for business interruption when business is lost due to the impairment of operations or denial of access.
In a recent study performed by PWC entitled ‘UK Information Security Breaches Survey’, it was revealed that 92% of large companies (i.e. those with in excess of 250 employees) and 83% of small companies surveyed had a security incident in 2009. Financial institutions, health care companies, retailers, media & tech companies, professional service companies, and others that deal with sensitive data are increasingly recognising the importance of having cyber liability insurance as part of their risk management programmes. Additionally, as an increasing number of high-profile data breaches come to light, so the appetite for data security and privacy insurance increases.
As for the main products, whereas Tech PI policies provide coverage for a policyholder’s professional liability (i.e. third party losses), cyber liability policies operate on a first party loss basis (i.e. the costs incurred by a policyholder in dealing with a data breach). There is frequently confusion as to whether a claim should be notified under the Tech PI or the cyber liability policy. In fact, cyber liability risks are often Tech PI risks. For example, where the policyholder is merely the custodian of the data, and subsequently loses that data, this would rightly be classified as a Tech PI risk. Insureds should examine their policies carefully in order to understand how each policy operates and to avoid falling into the trap of merging these two distinct types of coverage.
In broad terms, the types of exposed data typically involved in cyber liability claims fall into three categories: PII (personally identifiable information), PHI (personal health information) and credit card details. The causes underlying the loss of data also broadly fit into three categories: hacking, rogue employees, and loss or theft. The methods utilised by hackers are growing ever more sophisticated. They have discovered how to circumvent firewalls and take up residence on their host systems as if they were a legitimate user. They are then free to roam around undetected and carry out their desired objectives. It has been acknowledged by some of the world’s leading IT companies that, however sophisticated a company’s IT security may be, it is pretty much impossible to prevent a highly sophisticated hacker from gaining access. In this situation it is of key importance, for the purposes of damage limitation, to identify the breach as early as possible via well-organised risk management.
Insured entities should be under no doubt as to the costs which may be incurred where such data breaches occur. For example, data breaches in the US where millions of individuals’ information has been lost or hacked have resulted in tens of millions of dollars of losses (even though not all the individuals affected take up the offer of credit monitoring, losses in the region of $21 per person can be considerable). According to a study performed by Ponemon in conjunction with Symantec in 2010, in the US the average organisational data breach costs approximately $7.2m, while in the UK the average cost is £1.9m. As more data is managed and stored by organisations, so the cost involved in taking the required remedial steps after a breach increases exponentially.
The EU has, in proposing a stringent regime, nailed its colours to the mast: personal data is a commodity of increasing value in the digital age. Its legislative response is inevitably going to have far-reaching effects on those handling data in whatever capacity (and this is not restricted to electronically held information), and the financial (and reputational) implications of failing to comply with the proposed regime may be costly. In the event of a data breach, those entities which choose to self-insure may well find that their balance sheet is impacted considerably and, coupled with the damage to their reputation, such breaches may well prove fatal to their business in the current age.
Hill Dickinson has a wealth of experience in dealing with the full range of Professional Risks issues. If you have any queries relating to the above, or any other legal matter, please do not hesitate to contact us for advice.